All articles tagged with SuSE

Mozilla Firefox was updated to version 3.6.20. Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Firefox 3.6 and other Mozilla-based products. Gary Kwong, Igor Bukanov, Nils and Bob Clary reported memory safety issues which affected Firefox 3.6. Security researcher regenrecht reported that an SVG text manipulation routine contained a dangling pointer vulnerability. Mozilla security researcher moz_bug_r_a4 reported a vulnerability in event management code that would permit JavaScript to be run in the wrong context, including that of a different website or potentially in a chrome-privileged context.

Security researcher regenrecht reported that appendChild did not correctly account for DOM objects it operated upon and could be exploited to dereference an invalid pointer. Mozilla security researcher moz_bug_r_a4 reported that web content could receive chrome privileges if it registered for drop events and a browser tab element was dropped into the content area. Security researcher shutdown reported that data from other domains could be read when RegExp.input was set.

Mozilla Firefox was updated to version 6. Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances. Aral Yaman reported a WebGL crash which affected Firefox 4 and Firefox 5. Vivekanand Bolajwar reported a JavaScript crash which affected Firefox 4 and Firefox 5. Bert Hubert and Theo Snelleman of Fox-IT reported a crash in the Ogg reader which affected Firefox 4 and Firefox 5.

Mozilla developers and community members reported memory safety issues which affected Firefox 4 and Firefox 5. Rafael Gieschke reported that unsigned JavaScript could call into script inside a signed JAR thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR. Michael Jordon of Context IS reported that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.

Michael Jordon of Context IS reported a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation. Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that an SVG text manipulation routine contained a dangling pointer vulnerability. Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy. nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain.

Mozilla Thunderbird was updated to 3.1.12 fixing various security issues. Many of the issues are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may also enable such issues to be exploited. Updated packages are available from download.opensuse.org.

Mozilla identified and fixed several memory safety bugs in the browser engine used in Firefox 4, Firefox 5 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Updated packages are available from download.opensuse.org.

Mozilla SeaMonkey suite was updated to version 2.3. Miscellaneous memory safety hazards: Mozilla identified and fixed several memory safety bugs in the browser engine used in SeaMonkey 2.2 and other Mozilla-based products. Aral Yaman reported a WebGL crash. Vivekanand Bolajwar reported a JavaScript crash. Bert Hubert and Theo Snelleman of Fox-IT reported a crash in the Ogg reader.

Mozilla developers and community members reported memory safety issues. Rafael Gieschke reported that unsigned JavaScript could call into script inside a signed JAR thereby inheriting the identity of the site that signed the JAR as well as any permissions that a user had granted the signed JAR. Michael Jordon of Context IS reported that an overly long shader program could cause a buffer overrun and crash in a string class used to store the shader source code.

Michael Jordon of Context IS reported a potentially exploitable heap overflow in the ANGLE library used by Mozilla’s WebGL implementation. Security researcher regenrecht reported via TippingPoint’s Zero Day Initiative that an SVG text manipulation routine contained a dangling pointer vulnerability. Mike Cardwell reported that Content Security Policy violation reports failed to strip out proxy authorization credentials from the list of request headers. Daniel Veditz reported that redirecting to a website with Content Security Policy resulted in the incorrect resolution of hosts in the constructed policy.

nasalislarvatus3000 reported that when using Windows D2D hardware acceleration, image data from one domain could be inserted into a canvas and read by a different domain. Updated packages are available from download.opensuse.org.

This update of libmodplug0 fixes the following issues. An integer overflow error exists within the CSoundFile::ReadWav() function when processing certain WAV files. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a specially crafted WAV file. Boundary errors within the CSoundFile::ReadS3M() function when processing S3M files can be exploited to cause stack-based buffer overflows by tricking a user into opening a specially crafted S3M file. An off-by-one error within the CSoundFile::ReadAMS() function can be exploited to cause a stack corruption by tricking a user into opening a specially crafted AMS file.

An off-by-one error within the CSoundFile::ReadDSM() function can be exploited to cause a memory corruption by tricking a user into opening a specially crafted DSM file. An off-by-one error within the CSoundFile::ReadAMS2() function can be exploited to cause a memory corruption by tricking a user into opening a specially crafted AMS file.

The implementation of the Blowfish-based password hashing method had a bug affecting passwords that contain 8-bit characters (e.g. umlauts). Affected passwords are potentially faster to crack via brute force methods. Updated packages are available from download.opensuse.org.
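The note above does not spell out the defect. The documented cause of the crypt_blowfish bug of that period was sign extension: password bytes were packed into the 32-bit Blowfish key words through a signed char, so any byte of 0x80 or above was widened to 0xFFFFFFxx before being OR-ed in, wiping the bytes already packed into that word and making distinct passwords collapse onto the same key word. The following C program is an added illustration of that packing difference; it is not the page's or crypt_blowfish's own code, and the function names and the sample passwords ("ab" followed by Latin-1 ä and "d", and a second password differing only in its first two bytes) are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Pack four password bytes into one 32-bit key word the way the buggy
 * code did: through a signed char. A byte >= 0x80 is promoted to a
 * negative int and converted to 0xFFFFFFxx before the OR, so every bit of
 * the bytes packed earlier in the same word is forced to 1. */
uint32_t pack_word_signed(const char *pw)
{
    const signed char *p = (const signed char *)pw;
    uint32_t tmp = 0;
    for (int i = 0; i < 4; i++) {
        tmp <<= 8;
        tmp |= p[i];            /* sign-extended when p[i] < 0 */
    }
    return tmp;
}

/* Corrected packing: unsigned char, so each byte contributes exactly
 * its own 8 bits and nothing else. */
uint32_t pack_word_unsigned(const char *pw)
{
    const unsigned char *p = (const unsigned char *)pw;
    uint32_t tmp = 0;
    for (int i = 0; i < 4; i++) {
        tmp <<= 8;
        tmp |= p[i];
    }
    return tmp;
}

/* 1 if the first four bytes of passwords a and b yield the same key word
 * under the chosen packing, 0 otherwise. */
int words_collide(const char *a, const char *b, int use_signed)
{
    if (use_signed)
        return pack_word_signed(a) == pack_word_signed(b);
    return pack_word_unsigned(a) == pack_word_unsigned(b);
}

int main(void)
{
    /* Constructed sample passwords; "\xE4" is Latin-1 'ä'. The literals are
     * split so that the following 'd' is not read as part of the hex escape. */
    const char *pw1 = "ab\xE4" "d";
    const char *pw2 = "xy\xE4" "d";

    printf("signed   pack of pw1: 0x%08X\n", pack_word_signed(pw1));
    printf("signed   pack of pw2: 0x%08X\n", pack_word_signed(pw2));
    printf("unsigned pack of pw1: 0x%08X\n", pack_word_unsigned(pw1));
    printf("unsigned pack of pw2: 0x%08X\n", pack_word_unsigned(pw2));
    printf("collide with signed char:   %d\n", words_collide(pw1, pw2, 1));
    printf("collide with unsigned char: %d\n", words_collide(pw1, pw2, 0));
    return 0;
}
```

With the signed packing both sample passwords produce the key word 0xFFFFE464, so the two leading bytes contribute nothing to the hash and an attacker guessing passwords needs to try fewer candidates; with unsigned packing they produce 0x6162E464 and 0x7879E464 and stay distinct. Passwords made only of ASCII bytes (all below 0x80) are packed identically by both variants, which is why the note limits the impact to passwords containing 8-bit characters.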

A security bug was fixed in Xen: a bug was found in the way Xen handles CPUID instruction emulation during VM exits. An unprivileged guest user can potentially use this flaw to crash the guest. Updated packages are available from download.opensuse.org.

This kernel update for the SUSE Linux Enterprise 10 SP4 kernel fixes several security issues and bugs. The Datagram Congestion Control Protocol (DCCP) implementation did not properly handle packets for a CLOSED endpoint, which allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet. The add_del_listener function did not prevent multiple registrations of exit handlers, which allowed local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application. An integer overflow in the agp_generic_insert_memory function allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.

Multiple integer overflows in the agp_allocate_memory and agp_create_user_memory functions allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. The agp_generic_remove_memory function did not validate a certain start parameter, which allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call. When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users.

The do_task_stat function did not perform an expected uid check, which made it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary. The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. A local unprivileged user able to access a NFS filesystem could use file locking to deadlock parts of an nfs server under some circumstance.

The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions. Multiple integer overflows in the next_pidmap function allowed local users to cause a denial of service (system crash) via a crafted getdents or readdir system call. Integer overflow in the _ctl_do_mpt_command function might have allowed local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.

drivers/scsi/mpt2sas/mpt2sas_ctl.c did not validate length and offset values before performing memory copy operations, which might have allowed local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions. Updated packages are available from download.opensuse.org.

This update of ecryptfs-utils fixes several security problems, including race conditions when checking the mountpoint during mount and unmount, and improper mtab handling that allowed corruption due to resource limits, signals, etc.

This update of the Adobe Flash player resolves multiple buffer overflow, integer overflow, and memory corruption vulnerabilities that could lead to code execution. Updated packages are available from download.opensuse.org.

Flash-Player was updated to version 10.3.188.5 to fix various buffer and integer overflows. Earlier flash-player versions can be exploited to execute arbitrary code remotely with the privileges of the attacked user. Updated packages are available from download.opensuse.org.

The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to 2.6.32.43 and fixes various bugs and security issues. The normal mmap paths all avoid creating a mapping where the pgoff inside the mapping could wrap around due to overflow. However, an expanding mremap() can take such a non-wrapping mapping and make it bigger and cause a wrapping condition. A local unprivileged user able to access a NFS filesystem could use file locking to deadlock parts of an nfs server under some circumstance. Fixed a race between ksmd and other memory management code, which could result in a NULL ptr dereference and kernel crash.

In both trigger_scan and sched_scan operations, the SSID length was checked before the value had been assigned. Since the memory had just been kzalloced, the check could never fail and SSIDs with over 32 characters were allowed to go through. This required CAP_NET_ADMIN privileges to be exploited. A malicious user or buggy application could inject diagnostic bytecode and trigger an infinite loop in inet_diag_bc_audit(). The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions.
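The SSID length bug above is an ordering mistake: the bound was checked on the freshly zeroed kernel object rather than on the caller's request, so the check always saw a length of 0. The C program below is an added model of that mistake and of the corrected ordering; it is not kernel code and not from the page, and the struct and function names (scan_request, scan_params, accept_ssid_buggy, accept_ssid_fixed, make_request) are invented for the demonstration, with calloc standing in for kzalloc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SSID_LEN 32

struct scan_request {            /* constructed: what the caller passes in */
    size_t ssid_len;
    unsigned char ssid[64];
};

struct scan_params {             /* constructed: what the driver allocates */
    size_t ssid_len;
    unsigned char ssid[MAX_SSID_LEN];
};

/* Buggy ordering: the length check reads the freshly zeroed object, not the
 * request, so it can never fire. Returns 1 if the request would be accepted.
 * The copy into p->ssid is deliberately omitted here, because with a
 * 40-byte request it would overflow the 32-byte array. */
int accept_ssid_buggy(const struct scan_request *req)
{
    struct scan_params *p = calloc(1, sizeof *p);   /* stand-in for kzalloc */
    int ok = 1;
    if (!p)
        return 0;
    if (p->ssid_len > MAX_SSID_LEN)   /* p->ssid_len is 0: check always passes */
        ok = 0;
    p->ssid_len = req->ssid_len;      /* the real value is assigned only now */
    free(p);
    return ok;
}

/* Fixed ordering: validate the caller-supplied length before it is used.
 * Returns 1 and fills *p on success, 0 if the request is rejected. */
int accept_ssid_fixed(const struct scan_request *req, struct scan_params *p)
{
    if (req->ssid_len > MAX_SSID_LEN)
        return 0;
    memset(p, 0, sizeof *p);
    p->ssid_len = req->ssid_len;
    memcpy(p->ssid, req->ssid, req->ssid_len);   /* bounded by the check above */
    return 1;
}

/* Build a constructed request of n 'A' bytes (capped at the array size). */
void make_request(struct scan_request *req, size_t n)
{
    memset(req, 0, sizeof *req);
    req->ssid_len = n > sizeof req->ssid ? sizeof req->ssid : n;
    memset(req->ssid, 'A', req->ssid_len);
}

int main(void)
{
    struct scan_request req;
    struct scan_params p;

    make_request(&req, 40);
    printf("40-byte SSID, buggy check: %s\n",
           accept_ssid_buggy(&req) ? "accepted" : "rejected");
    printf("40-byte SSID, fixed check: %s\n",
           accept_ssid_fixed(&req, &p) ? "accepted" : "rejected");
    make_request(&req, 32);
    printf("32-byte SSID, fixed check: %s\n",
           accept_ssid_fixed(&req, &p) ? "accepted" : "rejected");
    return 0;
}
```

The pattern to look for in review is a bounds check whose operand is a field of the destination object rather than the untrusted input: zero-initialised memory makes such a check trivially pass, so it never rejects anything. Checking req->ssid_len, the value the caller controls, before any assignment or copy is the fix.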

Multiple integer overflows in the next_pidmap function allowed local users to cause a denial of service (system crash). The proc filesystem implementation in the Linux kernel did not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allowed local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls. When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users. Kernel information via the TPM devices could be used by local attackers to read kernel memory.

The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code. In a bluetooth ioctl, struct sco_conninfo has one padding byte at the end. The local variable cinfo of type sco_conninfo was copied to userspace with this one byte uninitialized, leaking old stack contents. In a bluetooth ioctl, struct ca is copied from userspace. It was not checked whether the “device” field was NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or an information leak by creating a device with a name made of the contents of the kernel stack.

In ebtables rule loading, struct tmp is copied from userspace. It was not checked whether the “name” field is NULL terminated. This may have led to a buffer overflow and to passing the contents of the kernel stack as a module name to try_then_request_module() and, consequently, to the modprobe command line. The econet_sendmsg function allowed remote attackers to obtain potentially sensitive information from kernel stack memory by reading uninitialized data in the ah field of an Acorn Universal Networking (AUN) packet. The IPv4 and IPv6 implementations did not place the expected ‘0’ character at the end of string data in the values of certain structure members, which allowed local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
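Two of the bugs in the preceding paragraphs share one root cause: a fixed-size struct crosses the kernel/user boundary without every byte being accounted for. The sco_conninfo case copies a struct out with an unwritten padding byte; the struct ca and struct tmp cases copy a struct in whose name field may lack a terminator. The C program below is an added illustration of both defects and their fixes; it is not kernel code and not from the page. The struct conninfo lookalike (a 16-bit handle followed by a 3-byte class, which compilers pad to 6 bytes), the dev_request struct, the 0xAA marker that stands in for stale stack contents, and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed lookalike of sco_conninfo: the fields total 5 bytes, the
 * compiler pads the struct to 6, and offset 5 is never written by a field
 * assignment. */
struct conninfo {
    uint16_t hci_handle;
    uint8_t  dev_class[3];
};
#define CONNINFO_PAYLOAD (offsetof(struct conninfo, dev_class) + 3)
#define STALE_MARKER 0xAA   /* constructed stand-in for old stack contents */

/* Fill a conninfo and copy the whole object to user_buf (sizeof(struct
 * conninfo) bytes). With zero_first == 0 this is the buggy pattern: the
 * padding byte still holds whatever was on the stack. With zero_first == 1
 * the object is cleared first, which is the fix. The explicit memset to
 * STALE_MARKER makes the stale contents deterministic for the demo. */
void export_conninfo(uint8_t *user_buf, int zero_first)
{
    struct conninfo cinfo;
    memset(&cinfo, STALE_MARKER, sizeof cinfo);   /* simulated stale stack */
    if (zero_first)
        memset(&cinfo, 0, sizeof cinfo);          /* clears padding as well */
    cinfo.hci_handle = 0x1234;
    cinfo.dev_class[0] = 1;
    cinfo.dev_class[1] = 2;
    cinfo.dev_class[2] = 3;
    memcpy(user_buf, &cinfo, sizeof cinfo);       /* stand-in for copy_to_user */
}

/* Count how many bytes beyond the real payload still carry the stale marker,
 * i.e. how many bytes of old stack contents reached userspace. */
size_t stale_padding_bytes(const uint8_t *user_buf)
{
    size_t n = 0;
    for (size_t i = CONNINFO_PAYLOAD; i < sizeof(struct conninfo); i++)
        if (user_buf[i] == STALE_MARKER)
            n++;
    return n;
}

/* Constructed model of a struct copied in from userspace with a fixed-size
 * name field, like the "device" and "name" fields in the advisory. */
#define NAME_LEN 16
struct dev_request {
    char name[NAME_LEN];
};

/* The missing check: accept the request only if the name contains a
 * terminator somewhere within its NAME_LEN bytes. A name that fills the
 * array with no '\0' would otherwise be read past its end. */
int request_name_ok(const struct dev_request *req)
{
    return memchr(req->name, '\0', NAME_LEN) != NULL;
}

/* Constructed requests for the demo: one properly terminated, one not. */
void make_request_terminated(struct dev_request *req)
{
    memset(req, 0, sizeof *req);
    strcpy(req->name, "demo0");
}

void make_request_unterminated(struct dev_request *req)
{
    memset(req->name, 'x', NAME_LEN);   /* 16 bytes, no terminator */
}

int main(void)
{
    uint8_t out[sizeof(struct conninfo)];
    struct dev_request req;

    export_conninfo(out, 0);
    printf("buggy export: %zu stale byte(s) leaked\n", stale_padding_bytes(out));
    export_conninfo(out, 1);
    printf("fixed export: %zu stale byte(s) leaked\n", stale_padding_bytes(out));

    make_request_terminated(&req);
    printf("terminated name accepted: %d\n", request_name_ok(&req));
    make_request_unterminated(&req);
    printf("unterminated name accepted: %d\n", request_name_ok(&req));
    return 0;
}
```

Zeroing the whole object before filling it (or using a designated initialiser that the compiler expands to a full clear) is the reliable way to keep padding from leaking, since assigning each field individually never touches the padding bytes. For inbound strings the check belongs before any use of the field: strnlen or memchr bounded by the array size, rejecting requests whose name is not terminated within it.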

Multiple integer overflows allowed local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages. An integer overflow allowed local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call. The bcm_release function did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation.

The raw_release function did not properly validate a socket data structure, which allowed local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a crafted release operation. Updated packages are available from download.opensuse.org.

A remote Denial of Service vulnerability has been fixed in bind. Specially crafted packets could cause bind servers (recursive as well as authoritative) to exit. Updated packages are available from download.opensuse.org.

A remote Denial of Service vulnerability has been fixed in the BIND DNS nameserver. Specially crafted packets could cause bind servers (recursive as well as authoritative) to exit. Updated packages are available from download.opensuse.org.

This kernel update for the SUSE Linux Enterprise 10 SP3 kernel fixes several security issues and bugs. Multiple integer overflows in the next_pidmap function allowed local users to cause a denial of service (system crash). Bounds checking was missing in AARESOLVE_OFFSET in the SCTP protocol, which allowed local attackers to overwrite kernel memory and so escalate privileges or crash the kernel. A heap-based buffer overflow in the ldm_frag_add function might have allowed local users to gain privileges or obtain sensitive information via a crafted LDM partition table.

When using a setuid root mount.cifs, local users could hijack password protected mounted CIFS shares of other local users. Kernel information via the TPM devices could be used by local attackers to read kernel memory. The Linux kernel automatically evaluated partition tables of storage devices. The code for evaluating EFI GUID partitions contained a bug that caused a kernel oops on certain corrupted GUID partition tables, which might be used by local attackers to crash the kernel or potentially execute code. In the IrDA module, length fields provided by a peer for names and attributes may be longer than the destination array sizes and were not checked; this allowed local attackers (close to the irda port) to potentially corrupt memory.

A system out of memory condition (denial of service) could be triggered with a large socket backlog, exploitable by local users. The Radeon GPU drivers in the Linux kernel did not properly validate data related to the AA resolve registers, which allowed local users to write to arbitrary memory locations associated with (1) Video RAM (aka VRAM) or (2) the Graphics Translation Table (GTT) via crafted values. When parsing the FAC_NATIONAL_DIGIS facilities field, it was possible for a remote host to provide more digipeaters than expected, resulting in heap corruption. Local attackers could send signals to their programs that appeared to come from the kernel, potentially gaining privileges in the context of setuid programs.

The code for evaluating LDM partitions contained bugs that could crash the kernel for certain corrupted LDM partitions. The code for evaluating Mac partitions contained a bug that could crash the kernel for certain corrupted Mac partitions. The code for evaluating OSF partitions contained a bug that leaks data from kernel heap memory to userspace for certain corrupted OSF partitions. Specially crafted requests may be written to /dev/sequencer resulting in an underflow when calculating a size for a copy_from_user() operation in the driver for MIDI interfaces.

Due to a failure to validate user-supplied indexes in the driver for Yamaha YM3812 and OPL-3 chips, a specially crafted ioctl request could have been sent to /dev/sequencer, resulting in reading and writing beyond the bounds of heap buffers, and potentially allowing privilege escalation. An information leak in the XFS geometry calls could be used by local attackers to gain access to kernel information. The sctp_rcv_ootb function in the SCTP implementation allowed remote attackers to cause a denial of service (infinite loop). Updated packages are available from download.opensuse.org.

Subversion was updated to fix several security issues: The mod_dav_svn Apache HTTPD server module can be crashed when asked to deliver baselined WebDAV resources. The mod_dav_svn Apache HTTPD server module can trigger a loop which consumes all available memory on the system. The mod_dav_svn Apache HTTPD server module may leak to remote users the contents of files configured to be unreadable by those users. Remote attackers could crash an svn server by causing a NULL dereference. Updated packages are available from download.opensuse.org.

Opera 11.11 fixes a security vulnerability. Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed. Updated packages are available from download.opensuse.org.

A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23. This memory corruption vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages. Updated packages are available from download.opensuse.org.

This update provides bind 9.6ESVR4P1 which fixes a denial of service vulnerability that can be triggered by very large RRSIG RRsets in a negative response and crash named. Updated packages are available from download.opensuse.org.